CVE-2026-34415
Published: 22 April 2026
Summary
CVE-2026-34415 is a critical-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the incomplete input validation vulnerability by enforcing proper validation of file extension inputs in the elFinder connector to block PHP-executable extensions like .php4.
- SI-2 (Flaw Remediation): Mitigates the vulnerability by requiring timely remediation of the specific flaw through application of available patches that fix the incorrect regex pattern.
- Provides additional protection by restricting file upload inputs to only safe, non-executable extensions, complementing validation to prevent malicious PHP uploads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated exploitation of a public-facing web application (T1190) to upload and execute malicious PHP code functioning as a web shell (T1100) for arbitrary OS command execution.
NVD Description
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.
Deeper analysis
CVE-2026-34415 is an incomplete input validation vulnerability in the elFinder connector endpoint of Xerte Online Toolkits versions 3.15 and earlier. The issue arises from an incorrect regex pattern that fails to block PHP-executable extensions such as .php4, allowing potentially malicious file uploads.
Unauthenticated attackers can exploit this flaw in combination with separate authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high confidentiality, integrity, and availability impacts.
Mitigation is available through patches in the Xerte Online Toolkits repository, including commits 02661be88cc369325ea01b508086bde7fbfec805, 17e4f945fe6a3400fa88c01eda18c1075ee4a212, and 507d55c5e91bf9310b5b1c7fad8aebfef902ad23. The issue is tracked at https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527, and a proof-of-concept for remote code execution is published at https://github.com/bootstrapbool/xerteonlinetoolkits-rce. Affected installations should apply these updates promptly.
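The root cause is a denylist that enumerates executable extensions and misses one (CWE-184). The following added example, written in Python for illustration and not taken from the Xerte or elFinder code, contrasts a constructed denylist regex that omits .php4 with an allowlist check of the kind SI-10 calls for; the regex and the allowed-extension set are assumptions, not the project's actual pattern.

```python
import re
from pathlib import PurePosixPath

# Constructed illustration of a CWE-184 denylist: it names several
# PHP-executable extensions but omits .php4, the gap described for
# CVE-2026-34415. This is NOT the pattern used by Xerte/elFinder.
DENYLIST_RE = re.compile(r"\.(php|php3|php5|phtml)$", re.IGNORECASE)

# Assumed allowlist of extensions the upload and rename handlers may produce.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf", "txt"})


def denylist_allows(filename: str) -> bool:
    """Incomplete check: accepts any name that does not match the denylist."""
    return DENYLIST_RE.search(filename) is None


def allowlist_allows(filename: str) -> bool:
    """Hardened check: accept only names whose every extension segment is
    on the allowlist. Checking all segments (not just the last) also rejects
    multi-extension names such as 'x.php.png', which some web server
    configurations may still route to the PHP interpreter."""
    parts = PurePosixPath(filename).name.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False  # no extension at all, or a dotfile: reject
    return all(ext in ALLOWED_EXTENSIONS for ext in parts[1:])


def rename_allowed(src: str, dst: str) -> bool:
    """Apply the allowlist to the rename path as well as the upload path,
    since the advisory's chain renames an uploaded file to a .php4 name."""
    return allowlist_allows(src) and allowlist_allows(dst)
```

Feeding both checks the same names shows the denylist accepting shell.php4 while the allowlist rejects it, which is the defect the patches close.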
Details
- CWE(s): CWE-184 (Incomplete List of Disallowed Inputs)